​What business continuity return on investment means to me

This year’s Business Continuity Awareness Week theme got me thinking about what return on investment means to me. The question of what business continuity is worth to an organization has been around for at least as long as I have been practising and probably longer. When I first got into BC in 1989, the major Canadian Bank I was working for had recently concluded a huge initiative to build a second data centre, at a cost of $20 million, a tidy sum in those days. With the creation of a second site, built explicitly to house Development and provide disaster recovery for technology, the focus shifted to business recovery and the development of unit plans to address disruption of business functions.

I was not involved in the original cost benefit analysis to justify investment in a state-of-the-art, oversized data centre, featuring lots of redundancy throughout its infrastructure. But I do recall from subsequent discussions that management had no trouble convincing the Board that the outlay was well worth it, just to mitigate the obvious risk of having all systems housed in a single facility without back-up. There was no risk department in those days, so the decision to proceed was not a formal outcome from a risk assessment, just top management applying sound business judgment.

Fast forward a few years and I was now working for a new company providing data processing for multiple banks. Having started off with multiple data centres, thus providing layers of redundancy, the company’s mission was to save money by closing down as many of them as possible and achieving economies of scale to improve the bottom line. That cost benefit analysis must have seemed highly attractive, from a profit standpoint, but what went missing in the strategy was a risk-based perspective on how the downsizing initiative was progressively compromising recovery capabilities. The ultimate irony struck in 1999 when the company decided to downsize its head office staff by 10 per cent in one swipe, to provide expense relief and improve its bottom line, for its owner banks. So my whole department of three was made redundant – no more business continuity function! Simultaneously it was a humiliation and a silver lining. Who wants to work in a company with such narrow vision?

Ever onwards... a few years later still I was working for a financial utility providing clearing and settlement for the exchanges and securities industry. By now, BCM was squarely aligned with risk and top management understood. Investment in good DRP and BCP was a given and under heavy regulatory scrutiny, we were continually seeking improvements. What a joy to work in a company where 2-hour RTO and synchronous data mirroring (0 RPO) were embraced as smart business practices.

Soon after I arrived there, we experienced one of the biggest power failures ever in North America. On the 14th August 2003, an area 1,000 miles wide and a population of 50 million lost grid power on a hot summer afternoon. Happily for us, the failure occurred 11 minutes after completion of the daily settlement cycle, so $250 billion of payments were safe and sound. Two immediate observations: our diesel generators (data centre and office) did their job, so all critical equipment and key business staff remained functional. Had the failure occurred earlier, before the deadline, we would probably have been alright anyway, perhaps experiencing a minor delay in completion of the settlement.

Even though we avoided major impact from that disruptive event, thanks to smart investment in power redundancy and lucky timing, I was embarrassed years later when a Toronto newspaper published a supplement on disaster recovery and featured my experience as a lead story. Front page headline: “Rising from the Blackout.” Sub-title: “How Des O’Callaghan saved his company – and billions of dollars – in the power outage of 2003 with business continuity planning.”

In the inside article “Keeping your cool in meltdown mode,” I received undeserved plaudits for how the incident was handled. The truth is the main reasons we were unscathed were decisions previously made to invest in risk mitigation by implementing high end systems, advanced storage solutions and power redundancy. Yes, we did a good job of managing the crisis and communicating with stakeholders, but I did not actually save the organization a penny. I have come to realize that ROI on business continuity really is just the protection of an organization from unacceptable impacts of adverse events.

Investment in BCM should be viewed in the same way that we regard 'investment' in human resources, or the legal department, or technology infrastructure, or building insurance. Running a healthy, resilient enterprise requires investment based on prudent business judgment, not just financial expenditure. Should we be smart with how we spend money? Of course, but allocation of real resources to strengthen operations and mitigate risk should be considered on the same plane as other investments, such as recruitment, training, marketing and many other corporate expenses. Anything contributing to organizational resilience is a worthwhile investment.

Des O'Callaghan FBCI is one of the leaders of the BCI's Greater Toronto Area Forum and a member of the BCI's Global Membership Council

Related / News

The tried, tested and not always successful counter argument goes like this. If it seems like a lot of time, effort and expenditure to adopt business continuity practices, the cost of these will be as nothing compared to the cost of enduring a catastrophe and its aftermath without a plan.

Mobile, social, cognitive and the Internet of Things - technologies like these are reshaping business, improving client engagement and making employees more productive, flexible, and responsive. Our growing reliance on 24/7 availability also puts us more at risk every day and increases the impacts of an outage.

Resilience professionals around the world… you are a victim of your own success! If your business is resilient (whether by effective planning or pure luck!) you will find that it becomes increasingly difficult to capture the imagination (and attention) of your boardroom.

Organisations may well see an immediate short term return on investment if they face an early disruption and the business continuity plan comes through. Many teams would see this as a result, and be happy. However, this kind of result may well be what we are looking for in a plan, but in my view simple recovery is a superficial return, and not where the real added value lies.

As a local authority our approach to business continuity is a little different; 1) because we have a statutory duty to do it and 2) because we don’t tend to focus on money and profit in the same way a private company would – but that’s not to say that we don’t still get a return on our BC investments.

“What’s the ROI on that?” is one of the most common questions management ask when evaluating business programmes and projects. When it comes to business continuity programmes, the answer is often “Well, there’s not really any ROI unless you experience a major disaster, and we haven’t experienced one yet.”

Ensuring greater resilience in your supply chains creates a greater value for money proposition than a supply chain that is fragile, and frequently creates disruptions to your business. Understanding exactly what you are paying for in terms of resilience, and using that knowledge to create appropriate levels of investment in supply chain resilience will give you a competitive advantage.

I have been involved in disaster business resilience since the 1980's. In that time, I’ve seen it go through the phases of disaster recovery, ​business continuity and now business resilience. Y2K (remember that?!) gave it a major boost – then nothing considerable happened. Terror campaigns in the UK and USA then the pandemic 'flu scare in 2006-7 also kept it in the C-suite's mind.

Let’s be honest, we all get annoyed at the constant challenge to justify our existence. I don’t hold with the commentators who say that ​business continuity is always a cost centre, insurance buy or grudge purchase. It makes me mad... but that’s not difficult.

Preparing for the 'unexpected' is not a new idea. Over the last 50 years, the business continuity industry has grown out of the need to protect businesses from the unexpected and expected interruption. However, when we stop and think about the threats BC professionals must mitigate in today’s BC plans versus 20, 10 or even 5 years ago, all agree there is a new threat landscape.